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INFO RMAT I ON FOR A RAD I O TRANSM I SSION AND FOR " 

-AUTHENTICATING OF SI IRSCRIRFRS- 

The invention is directed to a method for the encryption of information 
for a radio transmission and for authentication of subscribers in a 
communication system and is also directed to a corresponding 
communication system. . ^ _ 

Communication systems such as^ for ox a mp l ft y, the mobile radio 
telephone system according to the GSM standard (global system for mobile 
communication) use a radio interface for wireless information transmission^ • 
connoot i ons between mobile stations and base stations of a mobile radio 
telephone network, bc i ng capab l e of be i ng - setup, released and maintained 
on^md radio interface. A method and a system for encryption (ciphering) 
information for radio transmission and for subscriber authentication are 
known from the article "Safety First bei europaweiter Mobilkommjunikation" 



telcom report 16 (1993), No. 6, pages 326 through 329. The^ mobile 

K 

subscribers -thefeby identify themselves with respect to the mobile radio 

telephone network using a m e ans - a l so r e ferred to subscriber identity 

mobile -af(sil\/l)card /that is contained in the radio telephone subscriber 

station. At the network side, the mobile subscriber is registered in a nrreaf^- 

fer— exampte, an authentication means (authentication center) / that 

respectively offers security parameters and security algorithms for the 

protection of the subscriber data of the mobile subscribers. The encryption 

of the information on the radio interface, ef=f&t:tes subscriber-related and is 

A A 
directly coupled to the subscriber authentication. 

In future communication systems.such as ^or - oxam pia, a universal 

A 

network (UMTS, universal mobile telecommunication system or UPT, 

universal personal communication), there is 4l=te tendency to divide the 

A 

infrastructure into an access network and into one or more core networks. 



The area of the access network 4s-tf^efetJy responsible for matters of the 

radio interface such as administration and allocation of the radio channels, 

channel encoding, encryption via the radio interface e tc., i n contrag t 

A 

wherete the area of the core network is mainly responsible for matters of the 
subscriberadministrationsuchas registration (subscription), authentication, 
selection of the access network, etc., as well as for offering services. An 
encryption of the information for the radio transmission independently of the 
core network is impossible in the current GSM system. Over and above this, 
a radio resource, for example the radio channel, is exclusively used for only 
one subscriber in the encryption, namely the subscriber that was 
authenticated at the moment,.-teis. no longer b ei ng adequatef if=f future 
communication systems, particularly given simultaneous use of a mobile 

A/ 

station by a plurality of subscribers (for example, with their SIM cards). 

The invention is based on the object of specifying a method and a 
communication system that enables an encryption of the information at the 
radio interface independently of the nature and plurality of core networks, ee- 
^'^^h^^^nctional separation of encryption and authentication d er ive s . 
^^•^^ Th i o - objoot is i nv e nt i vely ach i e v ed by the method compr i s i ng tho - 
f ddlui eb ur pdl ei i l Udi i 1 1 1 ' and by th6 T X)mmun i cat i on syotom comphs i n g the ^ 
-fea tu r es 01 pa le n l c l a i m 12: Developments of the Invention can be defwed — ^ 
. from th o cubclemns : 

The subject matter of the invention proceeds from an encryption of the 

information for the radio transmission in an access network as well as from 

an authentication in at least one core network. Inventively, public keys are 

transmitted in alternation between a mobile station that can be used in 

parallel by a plurality of subscribers and the base station, being sent via the 

radio interface, and the public key received by the base station or^ 

fes p ectf ve ty^ mobile station is employed for the encryption of the information 

to be subsequently transmitted via the radio interface. The encrypted 

information received by the mobile station or^ cpo e t i vo lyt base station can 

be deciphe^re^on the basis of a private key that is allocated in the mobile 

station or^ rospoctivol-yy in the base station to the public key that was 
A. 



transmitted. Following the deciphering procedure, the authentication of the 
respective core network is implemented by a.meef=»6 of the mobile station, 
and the authentication of the subscriber is implemented by the mean s of the 
core network on the basis of the encrypted information transmitted in 
5 alternation. 

As a result of the mutual transmission of public keys between mobile 
^ station and base station, the encryption for the radio transmission canef=^stte 

t\ mobile station-related instead of subscriber-related and, thus, can 

simultaneously ensue for a plurality of subscribers. There is a bidirectional, 
1 0 trusted relationship into which an "apparent" base station or an unauthorized 

base station cannot intervene. Another advantage is the functional 
(v;=S separation of access network /(responsible for encryptiorj)^ and core 

(\i!g network^Qresponslble for authentication/ The radio resource is multiply 

JTj utilized for the encryption of a plurality of subscribers at the mobile station. 

'^0 15 The information required for the authentication procedure can already be 

A :5 transmitted encrypted, ^h i 3 hav i ng not been possible in the previous GSM 

■JS system. Maximum secuhty is achieved by the combination of the encryption 

■'i with public/private keys at the mobile station level and the following 

Q authentication at the subscriber level. In particular, a plurality of core 

2 0 networks - potentially of different network types - can be connected parallel 

to the access network due to the functional separation of access network 
and core network, and, in particular, a plurality of subscribers having 
different identities (SIM cards) can communicate simultaneously via a mobile 
station and in different core networks. 
25 No third party can subsequently sneak into the secure connection, 

achieved by multiple, mutual transmission of the public keys. The following 
Os^ authentication assures that the respective partnej^meeB^-of the connection - 

i.e., the base ^station from the point of view of the mobile station or, 
respectively, the mobile station from the point of view of the base station - 
C)^ 3 0 is also in fact the ^^ ^dns that it pretended to be at the beginning of the 

communication. 



An advantageous development of the invention provides that the 

(X^ mobile station first sends a first public key to the base station,.-*haHattef 

(\ A/i'^c/i ^^^^ 

^ ^- us i ng th r s for the encryption of the information, and a public key is sent from 

the base station to the mobile station that employs it for the encryption of the 
5 information. Subsequently, the mobile station sends a second public key to 

the base station. The involvement of an "apparent" base station or of the 
unauthorized base station into the connection is thus dependably prevented 
at the radio interface. The second key thereby preferably replaces the first 
key. 

10 According to an alternative development of the invention, the base 

station first sends a first public key to the mobile station, which employs it for 
encryption of the information, and the mobile station sends a public key to 
the base station, which employs it for the encryption of the information. 
Subsequently, the base station sends a second public key to the mobile 
15 station. The involvement of the "apparent" base station or of the 

unauthorized base station in the connection is thus dependably prevented 
at the radio interface. The second key is thereby preferably replaced by the 
first key. 

It is advantageous according to another development of the invention 
2 0 that the mobile station sends a subscriber identity of the subscriber and an 

authentication request to the core network in encrypted form and receives 
an authentication reply from the m e ans of th e core network sent back to it 
in encrypted form. Subsequently, the mobile station implements an 
authentication procedure for checking the identity of the core network. A 
(\ 2 5 network authentication thus efrs«es at the side of the mobile station„Jm«*. 

^ bo i ng copab lo of ijgtrrg individually implementec^particularl^^tven a plurality 
of core networks dependent on where the subscriber is registered. 
(Xv The means of t h e core network preferably sends an authentication 

request in addition to the authentication reply in encrypted fashion, and an 
'^^^ 3 0 authentication reply is sent back to the m eans f r om t l 't e mobile station in 

^^^^ encrypted form. Subsequently, ihe-nrreans-ef the core network can 

implement an authentication procedure for checking the subscriber identity. 



This has the advantage that the request for checking the subscriber 

authentication can be co-transmitted with the reply of the network-meaf^ to 

the network authentication and can be initiated by the network moon s- 

A 

immediately upon arrival of the reply. 

A communication system according to the invention comprises 
memory means as a mobile station that can be used in parallel by a plurality 
of subscribers and of the base station for storing public keys and private 



keys that are allocated to the public keys. Transmission devices in the 

(K- mobile station and in the base station.e^e^o the mutual transmission of the 

1 0 public keys via the radio interface. Control devices in the mobile station and 

in the base station are provided for the encryption of the information to be 

subsequently transmitted via the radio interface upon employment of the 

^rs public key received from the base station or^ sp e ct i ve l- v ^ mobile station and 

for deciphering the received, encrypted information on the basis of the 

==2 15 stored, appertaining private key. Over and above this, the communication 

system comprises a subscriber-specific mea«s- in the mobile station and a 

control moano in the respective core network for the implementation of the 
A 

authentication of the core network as well as of the authentication of the 
subscribers on the basis of mutually transmitted, encrypted information. 
2 0 The invention is explained in greater detail below on the basis of an 

exemplary embodiment with reference to the graphic illustration. 

Th o r o by chown Qf ■ e ^ 

/kp . , 

FIG. 1 4he- block circuit diagram of a communication system with an 

A- 

access network for the radio transmission and a plurality of 
2 5 core networks for the authentication; 

(h^ FIG. 2 ^te- message flo\%forthe encryption of the information at the 

radio interface between a mobile station and a base station of 

the access network; and 
fx FIG. 3 message f lovv for fhe authentication of the subscribers and 

(K. 30 of the core networks between the mobile station and arretworlr 

means e rf the respective core network. 



The cx)mmunication system show in FIG. 1 is a communication system 
UNW - such as ^or - oxa mftLa^ a universal UMTS or UPT network (universal 
mobile telecommunication system or universal personal telecommunication) 
- whose infrastructure is divided into an access network ACN and into one 
5 or more core networks CON1 , C0N2. The area of the access network ACN 

having devices of a radio sub-system - such asy ^ or cxampte ^ base stations 
BS and base station controllers BSC connected^ y=teFetG — -^e 4h e r eby 
responsible for matters of the radio interface such as administration and 
allocation of radio channels, channel encoding, encryption via the radio 
10 interface, etc. The area of the core network CON1, CON2 with network 

equipment - such as^ for oxampia , switching equipment MSC, MSC and 
yO authentication equipment AC, AC - is mainly responsible for matters of 

m routing, of subscriber administration such as registration (subscription) of the 

jTj subscribers S1, S2 as well as authentication, selection of the access 

yy 15 network ACN, etc., and for offering services. The authentication procedures 

OsiL^ in the moon e AC, AC preferably use secret keys ki according to the known 

r=1 A 

m procedure of the GSM standard in order to implement the subscriber 

% authentication for the subscriber S1 registered in the core network CON1 

Q and for the subscriber S2 registered in the core network C0N2 in parallel 

2 0 and independently of the access network ACN. 

In the present example, the switching equipment MSC, MSC in the 
core networks CON1 and C0N2 are connected to the base station controller 
BSC of the access network ACN. The base station controller BSC enables 
the connection to at least one base station, to the base station BS in the 

2 5 present example. Such a base station BS is a radio station that is provided 

for coverage of a radio area - for example, of a radio cell - in order to setup, 
release and maintain connections from/to at least one mobile station MT that 
(X-^ resides in its radio area via radio interface Al. The information are thereby- 

contained in a radio channel RCH allocated by the base station controller 

3 0 BSC. The connections can be a matter of outgoing connections as well as 

of incoming connections. The mobile station MT in the present example is 
especially suited for simultaneous use by a plurality of subscribers S1 and 



S2 that are attached in parallel to an internal bus (not shown) on the basis 

of their subscriber-specific devices SIM (subscriber identity module) and 

each have respectively separate subscriber identity. 
A-* 

The mobile station MT comprises a memory ffloono MSP, a 
5 tf dnbM i isg i un " £i iid l ocopt i on moans MSE as well as control devices MST 

MST that are connected to the memory means MSP and^ transmiss t on and 
<X- -feeeptten means MSE. Likewise, the base station BS comprises a memory 

moQ R C BSP, a tronom i os i on ana rocoption means BSE as well as a Gontro J- 
^ -ffteaf^s BST that is connected to the memory fnoan e BSP and ttaiibiiiisbiun- 
10 . fcinJ i' oc o pt i on mco fts BSE. 

According to the invention, the mobile station MT -sldLiui i-ieldled via 
ON^O tl= ^ transm i ssi o n an d roc o pt i on motm s MSE - sends a first public key PUK1 - 

ffl MT via the radio interface A! in parallel for all subscribers active at it and 

makes note of an appertaining, private key PRK1 -MT that is deposited in the 
OCri 15 memory meaf=^s. MSP or in the ^ontro l moanc MST. The base station BS 

1^ employs the received, public key PUK1-MT for the encryption of the 

r:n information to be subsequently sent via the radio interface Al. , The 

% deciphering of the information sent by the base station BS is thus only 

possible for th^^^^^ that knows the appertaining private key, i.e.^the 

2 0 mobile station MT with the key PRK1 -MT. Jfin turn sends a public PUK-BS 

In the reply of the base station BS in the opposite direction to the mobile 

station MT and makes note of the appertaining private key PRK1-BS. The 

v>\^ memory moong BSP or th ^contro l rR eaos BST stores the private key PRK1 - 

BS. It is thus assured that information subsequently sent by the mobile 

Ov. 2 5 station MT to the base station BS. these-betrrg encrypted upon employment 

A- 

of the public key PUK1-BS, can only in turn be deciphered by the base 
^-station BS or, respBcttveJ y , the c o ntrol moons DGT I I le i eor 

In order to prevent an "apparent" base station or unauthorized base 
station from using the public key PUK1-MT communicated from the mobile 

3 0 station MS for sending correctly encrypted information, arbitrarily or 

A/ 

intentionally/, the mobile station MT sends a second public key PUK2-MT 
(already encrypted) to the base station BS via the radio interface Al. This 



8 

key PUK2-MT can only be read and employed by the correct base station BS 
with which a trusted relationship was initially set up on the mobile station 
level. The "apparent" base station or unauthorized base station is 
dependably suppressed in this-frrj: The second public key P U K2-MT^t h e r e by 
replaces the previous, first public key PUK1-MT. The same is true 

A; 

Other transmission direction when the mutual transmission of the keys was 
initiated by the base station BS. 

The encryption procedure can likewisebe initiated by the base station 
BS, so that thatfef fe iiii ssiuM a i id ' i ecfcipti u n moohc BSE sends a first public 
key PUK1 -BS to the mobile station MT<satd f i rst publ i c key PUK1 - DO hav i ng 
a private key PRK1 -BS allocated to it and betng stored in the^ con t ro l meong 
BST or in the memory -means BSP. The mobile station MT employs the 
arriving, public key PUK1 -BS for encryption of the- fo ll ow i ng information^and 
in turn sends a public key PUK-MT to the base station BS that employs it for 
the encryption of the information in the opposite direction. Subsequently, 
the base station BS preferably sends a second public key PUK2-BS to the 
mobile station MT in order to be absolutely certain that an undesired base 
station does not mix itself into the encrypted information transmission via the 
radio channel or Hston to tnre. The public as well as the private keys are 
composed, for example, of a numerical sequence or bit sequence. 

Following the encrypti9n procedure, the mobile station MT - 
preferably, the^meef^ SIM provided only for the authentication^or a control 
means MST responsible in common for encryption and authentication - 
implements the authenticatiop of the respective core network C0N1 , CON2, 
and the moonc AC, AC of the core network CON1, C0N2 implements the 
authentication of the subscriber S1 , S2 on the basis of mutually transmitted, 
encrypted information at the subscriber level (see Fig. 3). The bidirectional 
authentication is thus implemented independently of the access network 
ACN. The authentication appended to the encryption offers maximum 
security since i^t^assures that the cooperatin^^^^S^of the connection is in 



fact the ^mea^ that it identified itself as- at the beginning of the 
communication. This prevents the overall communication on this connection 



from having been initiated by an "apparent" base station or unauthorized 
base station. Another advantage of the functional separation of encryption 
and authentication is eompriood thereof that the subscriber identities and the 
information required for the authentication - for example, random number 
^ 5 RAND, signed response SRES according to a GSM method - can already be 

transmitted encrypted via the radio interface Al. Authentication procedures 
deviating from GSM methods can also be employed for the authentication. 

A plurality of core networks /^the two core networks C0N1 , C0N2 in 
the present example/, even if different network types, can be connected 
10 parallel to the access network ACN. The subscribers S1, S2 simultaneously 

.=3 work with different SIM cards via the one mobile station MT in different core 

)2 networks - in the two core networks CON1 , C0N2 in the present example - 

M or, respectively, one or more subscribers S1, S2 work in a single core 

CXyj network, for example C0N1 Farther, the functional separation of^access 

Ixii 15 network ACN and core network C0N1 , CON2 also supports configurations 

wner eiR the access network ACN and the core network or networks CON1 , 

A 

rn CON2 exhibit different network operators. 

1;^ In a schematic illustration, FIG. 2 shows the message flow for 

O encryption of the information for the radio transmission betw^er^the mobile 

CnI- 2 0 station MT andjhe base station BS of the access network. Ttie* example is 

thereby limited thereto that the mutual exchange of the keys is initiated by 
A 

the mobile static MT. The base station BS could likewise begin the 
exchange (also see the description for FIG. 1); the following message flow 
would then be executed in a corresponding way. 

25 After the allocation of the radio channel RCH for a connection setup 

for communication, the mobile station MT starts the encryption in that it 
transmits the public key PUK1-MT in a message SEND and makes note of 
the appertaining, private key PRK1 -MT. The encrypted transmission of the 
information has thus begun at the radio interface. The base station BS uses 

30 the arriving key PUK1-MT for encrypted information transmission in the 

opposite direction, and in turn transmits the public key PUK-BS in the 
message SEND. It also makes note of the private key PRK1 -BS belonging 





10 

to the public key PUK-BS. The information transmitted in encrypted form - 
at least the public key PUK-BS in the present case - can only be deciphered 
by the mobile station MT with the assistance of the private key PRK1-MT 
that is only known to it. After the deciphering, the mobile station MT sends 
5 a second public key PUK-MT to the base station BS in a further message 

SEND, this base station BS deciphering the arriving information - at least the 
second public key PUK2-MT in the present case - with the assistance of the 
private key PRK1 -BS that is only known to it. The second public key PUK2- 
MT thereby replaces the previous, first public key PUK1-MT. . A trusted 

10 relationship has thus been produced between the two devices third parties 

^not bem§- capable of penetrating -jfrte this relationship. 

In a schematic illustration, FIG. 3 shows the message flow for 
authentication of the subscribers S1 , S2 registered in different core networks 
and for authentication of the respective core network. Messages are tl=teret?y 

15 transmitted between the subscribers S1 , S2 using the mobile station MT and 

the network equipment AC, AC (authentication center) of the respective core 
network, ,-beme transmitted transparently for the access network and the 
base station trtereof. 

A. 

First, the subscriber S1 or, respectively, the mobile station MT . Jl 
2 0 transmits an authentication request aureq-mt via the subscriber-epeeme 

flFtearrs (SIM) for the subscriber and a subschber identity SID - on the bas i s 
(jf » i e subscHb Hr= fo l Qtod S I M card ^ in the message SEND to the^,FReeft6 AC ^ ^ 
of the core net\Afork resp9nsible/or the subscriber S1 . The transmission of 

In the opposite direction, the 




the information tfforoby onouos encrypted. 
- moQr>G AC returns an authentication reply s 



2 5 - moQr>G AG returns an authentication reply aures-co in the message SEND 
A 

to the mobile station MT that implements the authentication procedure - with, 
preferably, a secret key - for checking the authentication for the core 
network. With the authentication reply aures-co, an authentication request . 
aureq-co is preferably simultaneously co-transmitted from th^^meafw AC of 

3 0 the core network in encrypted form and is received by the mobile station MT. 

In response thefeto, the mobile station returns an authentication reply aures- 
mt in the message SEND to themeaas AC in encrypted form and subscriber- 



related/^dlU iiibfans AC iro plomont i n f- the authentication procedure for 
checking the subscriber authentication — likewise, preferably, upon 

A /I 

employment of secret keys. An authentication in only one direction - i.e., 
only for the subscribers or for the network - is also fundamentally possible. 



effew 



The executive sequence for the authentication of the subscriber S2 



above contents between the corresponding, subscribe nspooifiomoano (SIN) 
of the mobile station MT and the f=^etwofk m Qa nc AC' of the other core 
network responsible for it. As a result of the combination of encryption at the 
radio interface from/to the access network>/ achieved on the basis of 
repeatedly exchanged public keys on the mobile station level, and following 
the authentication using secret keys on the subscriber level from/to the core 
network independently of the access network, maximum security is achieved ♦ 
^'ef=»€l access network ^^responsible for the encryption^ —af^ core network or 
networks /{responsible for authentication)/nonetheless remain functionally 

A A 

separate. 



^6 atC7 



